Ever wonder about the origins of the term "bug" in computing? Back near the beginning of the digital computing era about the end of World War II, computers were gigantic and used vacuum tubes and mechanical relays to produce calculations.
One night at Harvard, one of these early behemoths crashed and the machine's tenders were having a devil of a time figuring out the cause. Finally, the technicians located a moth crushed in the jaws of one of the massive machine's thousands of mechanical relays. This "bug" was blocking the flow of electricity, causing the malfunction.
Given that today's PCs are many orders of magnitude more complex ? and more powerful ? than those early devices, there's no reason to expect bugs are going to go away any time soon. Often, bugs turn up where (and when) you least expect.
That turned out to be the case over the weekend.
Microsoft and Mozilla have been having a public argument over which of them is responsible for a problem that recently cropped up whereby, if you were running Internet Explorer and had Firefox 2.x installed, the combination set up a critical security situation that could leave you at the bad guys' mercy.
Mozilla patched what its developers saw as Firefox's (and by extension, Thunderbird's) problem.
Microsoft, meanwhile, claimed that all IE does is pass a uniform resource identifier (URI) off to Firefox as it's supposed to do. It's Firefox's job to validate that input before it puts that URI to use. That is, proper validation of the URI assures that it's not a booby trap. The argument is over who should provide that validation.
In this case, the combination of the two programs' behaviors could lead to a situation whereby a malicious attacker could cause a classic buffer overflow error and, from there, to completely take over control of your PC.
Now, Mozilla developers have found that Firefox can be used to do something very similar to what they have been pointing the finger at IE about.
A post on the Mozilla Security Blog yesterday explains:
"Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry point. While browsing with Firefox, a specially crafted URL could potentially be used to send bad data to another application.We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in 2.0.0.5."
Obviously, Mozilla views the problem as a bug, not just an "issue."
So another patch (or patches) from Mozilla is in the works. We'll keep you informed when that new patch surfaces.
In the meantime, despite the fact this is another zero-day vulnerability, there have been no attacks (that we know of) so far. To their credit, Mozilla's developers have a record of fixing bugs quickly.
And what about Microsoft and IE?
As I said on Saturday, I suspect that Microsoft will quietly do something in an upcoming patch or service pack that mitigates the problem on IE's end of things. Whether you want to call it a bug or not is up to you. It's definitely an "issue."
I just wish Microsoft would be more forthcoming about publicly pointing out when it fixes these kinds of things. It would make many of us feel a little more secure if it just came out and said: "Hey, you remember that 'issue' about IE not validating URIs before passing them to other programs like Firefox? Here's a fix for it." (Wishful thinking.)
In the meantime, my guess is that you should expect to see more cross-browser security bugs/issues crop up. After all, IE doesn't just pass URIs to Firefox.
That first bug was taped into the log. It is still there. In fact there is a photo of the offending moth:
http://www.history.navy.mil/photos/images/h96000/h96566kc.htm
If you want to see the real thing it is in the Naval Surface Warfare Center Computer Museum at Dahlgren, Virginia.